2 Replies Latest reply on Sep 9, 2015 1:44 PM by cjpatrin

    How does NTA handle redundant data?

    cjpatrin

      Hello all,

       

      I have a question regarding NetFlow and duplicate information. How does NTA deal with redundant data? Is it smart enough to recognize when it receives the same information from multiple sources?

       

      For example, assume the following situation:

       

      I have 3 Cisco switches between a workstation and my router. All 3 switches are sending netflow data to NTA. Let's say that I create 100mb of traffic to the router. Each switch reports that 100mb of traffic just entered and exited the switch. In the NTA summary, will it be summarized as 300mb of data (because 100mb was reported from 3 different sources)? Or is NTA smart enough to know that only 100mb of true data traversed the network?

       

      Any insight into this would be appreciated. Thanks!

        • Re: How does NTA handle redundant data?
          Craig Norborg

          NTA has no such intelligence built into it.   It reports the Netflow traffic that it sees on a per-device basis.  So, if 3 different Netflow sources (ie: switches or routers) each see the same traffic traversing them, they will all report it.  That's just it doing its job.   The intelligence should come from whoever is interpreting the results to be smart enough to know that traffic from a given source would have to traverse the 3 switches to get to the router.

           

          That being said, it will also depend on how the traffic flows between the switches and how the switches are configured and even possibly their capabilities.   Early on it was common to mainly get Netflow out of Layer-3 interfaces, so if the traffic traversed through 3 switches all on the same Layer-2 VLAN segment, it might not get reported from those switches at all.  I believe some switches need to be explicitly configured to show Layer-3 switched or Layer-2 data and some switches might not be giving up Layer-2 Netflow data at all.   So, what info you will get can depend on the hardware you're using and how you have it configured.

           

          And yes, it is a bit confusing!!

           

          HTH!